Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Droot Internals
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Yuuki Tsubouchi (yuuk1)
April 23, 2016
Technology
20k
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Droot Internals
id:y_uuki
第9回 コンテナ型仮想化の情報交換会@福岡
Yuuki Tsubouchi (yuuk1)
April 23, 2016
More Decks by Yuuki Tsubouchi (yuuk1)
See All by Yuuki Tsubouchi (yuuk1)
「アラーティング」の話をしよう— SREconや論文等の最先端とのギャップをみる
yuukit
7
1.7k
SAKURAONE:An Open Ethernet-based AI HPC System And Its Observed Workload Dynamicsin a Single-Tenant LLM Development Environment
yuukit
1
420
AIスーパーコンピュータにおけるLLM学習処理性能の計測と可観測性 / AI Supercomputer LLM Benchmarking and Observability
yuukit
1
980
SREはサイバネティクスの夢をみるか? / Do SREs Dream of Cybernetics?
yuukit
3
600
SREのためのテレメトリー技術の探究 / Telemetry for SRE
yuukit
13
3.7k
AIスパコン「さくらONE」の オブザーバビリティ / Observability for AI Supercomputer SAKURAONE
yuukit
2
1.5k
AIスパコン「さくらONE」のLLM学習ベンチマークによる性能評価 / SAKURAONE LLM Training Benchmarking
yuukit
2
1.2k
とあるSREの博士「過程」 / A Certain SRE’s Ph.D. Journey
yuukit
11
7k
eBPFを用いたAIネットワーク監視システム論文の実装 / eBPF Japan Meetup #4
yuukit
3
1.8k
Other Decks in Technology
See All in Technology
【FinOps】データドリブンな意思決定を目指して
z63d
3
600
ゼロをイチにする仕事が終わったあと
smasato
0
270
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
3
2k
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
0
140
『AIに負けない』より『AIと遊ぶ』」〜ワクワクが最強のテスト・QA学習戦略_公開用
odan611
1
370
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
110
プロンプト_きのこカンファレンス2026_LT
yurufuwahealer
0
130
RAGの精度向上とエージェント活用
kintotechdev
2
120
CVE-2026-20833_脆弱性対応とAES 化について
jukishiya
0
350
攻撃者がいなくてもAIエージェントはインシデントを起こす
nomizone
0
190
AWS Summit Japan 2026の振り返りと2027へ向けて / AWS Summit Japan 2026 Recap and Prospects for 2027
kaminashi
1
190
Kotlin 開発のツラミを爆破した話! / Explode the difficulty of Kotlin dev!
eller86
0
140
Featured
See All Featured
Art, The Web, and Tiny UX
lynnandtonic
304
22k
Rebuilding a faster, lazier Slack
samanthasiow
85
9.5k
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.3k
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Ten Tips & Tricks for a 🌱 transition
stuffmc
0
150
Facilitating Awesome Meetings
lara
57
7k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
1
1.4k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
410
Game over? The fight for quality and originality in the time of robots
wayneb77
1
220
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
Into the Great Unknown - MozCon
thekraken
41
2.6k
Transcript
%SPPU*OUFSOBMT JEZ@VVLJ ୈ̕ճίϯςφܕԾԽͷใަձ!Ԭ
id:y_uuki @y_uuk1 ͯͳ!ژ ΣϒΦϖϨʔγϣϯΤϯδχΞ
IUUQZVVLJIBUFOBCMPHDPNFOUSZESPPU
TL;DR • ιϑτΣΞґଘࠈͷղܾͷͨΊʹ DockerΛ͍͍ͨ • ຊ൪ڥͰDockerΛӡ༻͢ΔͷͭΒ͍ • ʮBuild, Ship, Runʯͱ͍͏ίϯηϓτ͖
• DockerΠϝʔδΛS3Λܦ༝ͯ͠͠ɺ chrootͰ࣮ߦ͢Δख๏ͷఏҊ
ԾԽٕज़ )8ԾԽ 04ԾԽ ,7. 9FO ʜ γεςϜίϯςφ -9$ ΞϓϦέʔγϣϯ ίϯςφ
%PDLFS
ͳͥ()DockerΛ͏ͷ͔ • ✘ VMΑΓߴ • ✘ Πϛϡʔλϒϧ • ✘ Φʔτεέʔϧ
• ˚ ϙʔλϏϦςΟ • ◦ ϓϩάϥϚϒϧͳϗετڥ • ◦ ιϑτΣΞґଘࠈͷղܾ
ιϑτΣΞґଘࠈ • ͋ΔιϑτΣΞ͍͍ͨͯෳͷιϑτ ΣΞʹґଘ͢Δ • ґଘઌͷιϑτΣΞ·ͨෳͷιϑτ ΣΞʹґଘ͢Δ • ಉ͡ڥΛ࠶ݱ͢Δͷ͕͍͠ •
BundlerͳͲΛͬͯCͷϥΠϒϥϦʹ ґଘ͢Δ͜ͱ
Docker • LinuxͷσΟετϦϏϡʔγϣϯڥ ͝ͱݻΊͯΠϝʔδԽ • /lib, /usr/bin, /etcͳͲͥΜͿ • Linux
NamespacesͰಠཱͨ͠ڥΛ ࡞ͬͯΠϝʔδΛల։
DockerࠔΔ͜ͱ • Docker Engineͷෆ҆ఆ͞ • ωοτϫʔΫ·ΘΓͷύϑΥʔϚϯεྼԽ • ίϯςφͷΰϛআ • ίϯςφͷແఀࢭσϓϩΠ
• ίϯςφͷϩάཧ • ίϯςφͷࢹ • ίϯςφͷσόοά • Docker Registryͷӡ༻
chroot
chroot ☓ Docker ͷΞΠσΞ EPDLFSQVMMNZTRM $0/5"*/&3@*% EPDLFSDSFBUFNZTRM EPDLFSFYQPSU$0/5"*/&3@*%PNZTRMUBS NZTRMUBSΛ.Z42-Λಈ͔͍ͨ͠ϗετίϐʔ
͢Δɻ UBSYG[WBSDPOUBJOFSTNZTRMNZTRMUBS TVEPDISPPUWBSDPOUBJOFSTNZTRMNZTRME
None
࠷ۙͷΞϓϦέʔγϣϯσϓϩΠ • git pull͕͍ • σϓϩΠαʔό͔Βͷrsync͍ • tarball σϓϩΠ •
ՌΛS3ͳͲʹஔ͠ɺσϓϩΠઌͰ s3 cp Ͱμϯϩʔυͯ͠ల։ • Serf/Consul • σϓϩΠαʔό͔ΒͷSSH͕͍ͨΊ
Droot
#VJME 4IJQ 3VO ESPPUSVO EPDLFSCVJME ESPPUFYQPSU EPDLFS EBFNPO 4UPSBHF 4
ESPPUEFQMPZ BXTTDQ BXTTDQ
%PDLFS %SPPU #VJME EPDLFSCVJME EPDLFSCVJME 3FHJTUSZ %PDLFS)VC %JTUSJCVUJPO ͳΜͰΑ͍ "NB[PO4
'JMF'PSNBU %PDLFSJNBHF ͳΜͰΑ͍ FYUBSH[ $POUBJOFS -JOVY /BNFTQBDFT DISPPU
$ droot export • DockerΠϝʔδͷϑΝΠϧγεςϜΛtarܗࣜͰग़ྗ • جຊ docker create &&
docker export • gzip / aws cli ͱͷύΠϓʹΑΓɺtar.gzԽͯ͠S3ʹஔ • ϑΝΠϧγεςϜʹdrootઐ༻ͷڥมϑΝΠϧ (/.drootenv) ΛࠐΉ ESPPUFYQPSUEPDLFSpMFTBQQcH[JQDR cBXTTDQTCVDLFUBQQUBSH[
$ droot deploy • ඪ४ೖྗ͔ΒtarΞʔΧΠϒΛಡΈࠐΈɺࢦఆ͠ ͨσΟϨΫτϦʹల։ • සൟʹߋ৽͞ΕΔίϯςφͷσϓϩΠΛఆ • rsync
mode ͱ symlink mode BXTTDQTCVDLFUBQQUBSH[c HVO[JQDRcESPPUEFQMPZSPPUWBSDPOUBJOFST
symlink ʹΑΔ atomic deploy • σϓϩΠࡁΈͷίϯςφ ڥΛࠩ͠ସ͑Δඞཁ͕͋Δ • https://gist.github.com/ datagrok/3807742#file-
symlink-replacement-md • symlink Λ rename(2)ɹ (mv -T) ͰΓସ͑Δ͜ͱ ʹΑΓΞτϛοΫʹσΟϨ ΫτϦΛࠩ͠ସ͑Δ ᵓᴷᴷBQQBQQENBJO ᵓᴷᴷBQQE ᵋᴷᴷNBJO ᵋᴷᴷCJO ᵋᴷᴷCPPU ᵋᴷᴷEFW ᵋᴷᴷCBDLVQ ᵋᴷᴷCJO ᵋᴷᴷCPPU ᵋᴷᴷEFW
$ droot run • ࢦఆͨ͠σΟϨΫτϦΛchroot jailͱ࣮ͯ͠ߦ • σόΠεϑΝΠϧͷ࡞ (/dev/null, /dev/zeroͳͲ)
• ϗετͷ /etc/group, /etc/resolve.confͳͲΛίϐʔ • bind mountͰϗετଆͷҙͷσΟϨΫτϦΛϚϯτ • Linux capabilities(7) ͰݖݶΛ੍ TVEPESPPUSVODQCJOEWBSMPHSPPU ɹɹWBSDPOUBJOFSTBQQDPNNBOE
chroot(2) • ϓϩηεͷϧʔτσΟϨΫτϦΛมߋ • ϓϩηεͷઈରύεͷ୳ࡧىͷมߋͷΈ • ϓϩηεΛੜͨ͠Γ͠ͳ͍ • ΧϨϯτσΟϨΫτϦͦͷ··ͳͷͰcrhootίʔ ϧޙʹchdir(“/“)͢Δ͜ͱ͕ଟ͍
• jailڥ֎ͷϑΝΠϧషΒΕͨγϯϘϦοΫϦϯ ΫΞΫηεͰ͖ͳ͍
BindϚϯτ • Linux 2.2͔Βಋೖ • σΟϨΫτϦϑΝΠϧΛଞͷҐஔϚϯτ • chroot jailڥ͔ΒϚϯτઌͷϑΝΠϧσΟϨ ΫτϦΞΫηεͰ͖Δ
• /var/containers/app/var/log ͱ͔ࢀর͢Δͷ໘ • mount -o bind /var/log /var/containers/app/var/log • ϗετͷ /var/log Λڞ༗
LinuxέʔύϏϦςΟ • chroot(2)ಛݖϓϩηεͰͳ͍ͱίʔϧͰ͖ͳ͍ • (ݫີʹCAP_SYS_CHROOT) • ͔͠͠ɺεʔύʔϢʔβͰಈ͔͢ͷෆ҆ • εʔύʔϢʔβͰಈ͔ͭͭ͠ɺcapabilities(7)Ͱඞཁͳ ݖݶҎ֎Λམͱ͓ͯ͘͠
• CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE ΛڐՄ
Problems
• Docker (NamespacesΛͬͨίϯςφ)΄Ͳͷɹ ϙʔλϏϦςΟͳ͍ • Dockerίϯςφͷڥม͕Ҿ͖ܧ͕Εͳ͍ • Dockerίϯςφ্ͷ user/group ͕σϓϩΠઌ
ϗετʹ͍ͳ͍ ϙʔλϏϦςΟͷ
• ڥมϑΝΠϧͱͯ͠ӬଓԽ͞Εͳ͍ͷͰɺ Ұ୴ϑΝΠϧʹอଘ • droot export ͰҰ୴Dockerίϯςφͱͯ͠ىಈ͞ ͔ͤͯΒ env ίϚϯυͷ࣮ߦ݁ՌΛ
/.drootenv ͱ ͯ͠อଘ • droot run Ͱ /.drootnenv ΛಡΈͩͯ͠ڥมΛ ෮ݩ • droot run —env ͰڥมͷՃɾ্ॻ͖Մೳ ڥมͷҾ͖ܧ͗
• User NamespacesͰ/etc/groupͳͲΛΈͯඞཁ ͳuser/grpupΛࣗಈ࡞ • ϓϩηεπϦʔߏΛ͔͑ͨ͘ͳ͍ͷͰɺclone(2) Ͱͳ͘ chroot(2) ޙʹ unshare(2)
͢Δ • clone(2) ͩͱࢠϓϩηεΛੜ͢ΔͨΊɺεʔ ύʔόΠβϓϩηεͷԼͰdroot runͨ͠ͱ͖ ʹɺγάφϧཧ͕͏·͍͔͘ͳ͍͔ user/groupͷࣗಈ࡞(ະ࣮)
• ͜Ε͓ͦΒ͘ PID Namespacesͷ • https://lwn.net/Articles/532748/ • NamespacesԼͷϓϩηε͕pid 1ͱͯ͠ৼΔ͏ඞཁ͕Ͱ ͯ͘Δ
• orphanϓϩηεͷճऩ͢Δඞཁ͕͋Δ
ίϯςφ ࣗͰ࡞ΕΔ
(PMBOH
• github.com/docker/docker/pkg • archive, devicemapper, fileutils, mount, symlink… • github.com/opencontainers/runc/libcontainer
• Linux Namespaces·ΘΓ • https://github.com/syndtr/gocapability • LinuxέʔύϏϦςΟ • github.com/docker/engine-api • Docker APIΫϥΠΞϯτ ίϯςφπʔϧ͚ύοέʔδ
• ࣗ࡞ͷίϯςφπʔϧ Drootͷഎܠͱ࣮ • Build, Ship, RunΛ࣮ݱ͢Δୈ̏ͷιϑτΣΞ • droot export,
droot deploy, droot run • DockerͰΠϝʔδΛ࡞ͬͯ chroot Ͱ࣮ߦ • ϙʔλϏϦςΟͷͱͦͷղܾ • ίϯςφࣗͰ࡞ΕΔ ·ͱΊ
github.com/yuuki/droot